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1 Public Key Cryptography 


One of the biggest problems in cryptography is the distribution of keys. Suppose you 
live in the United States and want to pass information secretly to your friend in Europe. 
If you truly want to keep the information secret, you need to agree on some sort of key 
that you and he can use to encode/decode messages. But you don’t want to keep using 
the same key, or you will make it easier and easier for others to crack your cipher. 


But it’s also a pain to get keys to your friend. If you mail them, they might be stolen. If 
you send them cryptographically, and someone has broken your code, that person will 
also have the next key. If you have to go to Europe regularly to hand-deliver the next 
key, that is also expensive. If you hire some courier to deliver the new key, you have to 
trust the courier, et cetera. 


1.1. Trap-Door Ciphers 


But imagine the following situation. Suppose you have a special method of encoding 
and decoding that is “one way” in a sense. Imagine that the encoding is easy to do, but 
decoding is very difficult. Then anyone in the world can encode a message, but only 
one person can decode it. Such methods exist, and they are called “one way ciphers” 
or “trap door ciphers”. 


Here’s how they work. For each cipher, there is a key for encoding and a different key 
for decoding. If you know the key for decoding, it is very easy to make the key for 
encoding, but it is almost impossible to do the opposite—to start with the encoding key 
and work out the decoding key. 


So to communicate with your friend in Europe, each of you has a trap door cipher. You 
make up a decoding key D, and generate the corresponding encoding key £,. Your 
friend does exactly the same thing, but he makes up a decoding key Dy, and generates 
the corresponding encoding key Fy. You tell him £, (but not D,) and he tells you Ey 
(but not Dz). Then you can send him messages by encoding using FE, (which only he 
can decode) and vice-versa—he encodes messages to you using FE, (which only you 
can decode, since you’re the only person with access to D,). 


Now if you want to change to a new key, it is no big problem. Just make up new pairs 
and exchange the encoding keys. If the encoding keys are stolen, it’s not a big deal. 
The person who steals them can only encode messages—they can’t decode them. In 
fact, the encoding keys (sometimes called “public keys”) could just be published in 


a well-known location. It’s like saying, “If you want to send me a private message, 
encode it using this key, and I will be the only person in the world who can read it.” 
But be sure to keep the decoding key (the “private key’’) secret. 


1.2 Certification 


There is, of couse, a problem with the scheme above. Since the public keys are really 
public, anyone can “forge” a message to you. So your enemy can pretend to be your 
friend and send you a message just like your friend can—they both have access to the 
public key. Your enemy’s information can completely mislead you. So how can you be 
certain that a message that says it is from your friend is really from your friend? 


Here is one way to do it, assuming that you both have the public and private keys Ea, 
Ey, Da, and Dp as discussed in the previous section. Suppose I wish to send my friend 
a message that only he can read, but in such a way that he is certain that the message is 
from me. Here’s how to do it. 


I will take my name, and pretend that it is an encoded message, and decode it using 
D,. 1am the only person who can do this, since I am the only person who knows D,. 
Then I include that text in the real message I wish to send, and I encode the whole mess 
using £,, which only my friend knows how to decode. 


When he receives it, he will decode it using Dy, and he will have a message with an 
additional piece of what looks to him like junk characters. The junk characters are what 
I got by “decoding” my name. So he simply encodes the junk using my public key E, 
and makes certain that it is my name. Since I am the only one who knows how to make 
text that will encode to my name, he knows the message is from me. 


You can encode any text for certification, and in fact, you should probably change it 
with each message, but it’s easy to do. Your message to your friend would look like 
this: 

“Attack at dawn. Here is my decoding of *ABCDEFG’: ’JDOLEODK’.” 


To assure privacy, for each message, change the “ABCDEFG” and the corresponding 
“JDLEODK”. 


2 RSA Encryption 


OK, in the previous section we described what is meant by a trap-door cipher, but how 
do you make one? One commonly used cipher of this form is called “RSA Encryption”, 
where “RSA” are the initials of the three creators: “Rivest, Shamir, and Adleman’’. It 
is based on the following idea: 

It is very simply to multiply numbers together, especially with computers. But it can 
be very difficult to factor numbers. For example, if I ask you to multiply together 
34537 and 99991, it is a simple matter to punch those numbers into a calculator and 
3453389167. But the reverse problem is much harder. 


Suppose I give you the number 1459160519. Ill even tell you that I got it by multi- 


plying together two integers. Can you tell me what they are? This is a very difficult 
problem. A computer can factor that number fairly quickly, but (although there are 
some tricks) it basically does it by trying most of the possible combinations. For any 
size number, the computer has to check something that is of the order of the size of 
the square-root of the number to be factored. In this case, that square-root is roughly 
38000. 


Now it doesn’t take a computer long to try out 38000 possibilities, but what if the 
number to be factored is not ten digits, but rather 400 digits? The square-root of a 
number with 400 digits is a number with 200 digits. The lifetime of the universe is 
approximately 10'8 seconds — an 18 digit number. Assuming a computer could test 
one million factorizations per second, in the lifetime of the universe it could check 
1074 possibilities. But for a 400 digit product, there are 10?°° possibilties. This means 
the computer would have to run for 10!” times the life of the universe to factor the 
large number. 


It is, however, not too hard to check to see if a number is prime—in other words to 
check to see that it cannot be factored. If it is not prime, it is difficult to factor, but if it 
is prime, it is not hard to show it is prime. 


So RSA encryption works like this. I will find two huge prime numbers, p and q that 
have 100 or maybe 200 digits each. I will keep those two numbers secret (they are 
my private key), and I will multiply them together to make a number N = pq. That 
number JN is basically my public key. It is relatively easy for me to get N; I just need 
to multiply my two numbers. But if you know JN, it is basically impossible for you 
to find p and q. To get them, you need to factor N, which seems to be an incredibly 
difficult problem. 


But exactly how is N used to encode a message, and how are p and q used to decode 
it? Below is presented a complete example, but I will use tiny prime numbers so it is 
easy to follow the arithmetic. In a real RSA encryption system, keep in mind that the 
prime numbers are huge. 


In the following example, suppose that person A wants to make a public key, and that 
person B wants to use that key to send A a message. In this example, we will suppose 
that the message A sends to B is just a number. We assume that A and B have agreed 
on a method to encode text as numbers. Here are the steps: 


1. Person A selects two prime numbers. We will use p = 23 and q = 41 for this 
example, but keep in mind that the real numbers person A should use should be 
much larger. 


2. Person A multiplies p and q together to get pg = (23)(41) = 943. 943 is 
the “public key”, which he tells to person B (and to the rest of the world, if he 
wishes). 


3. Person A also chooses another number e which must be relatively prime to (p — 
1)(q — 1). In this case, (p — 1)(q — 1) = (22)(40) = 880, so e = 7 is fine. e is 
also part of the public key, so B also is told the value of e. 


4. Now B knows enough to encode a message to A. Suppose, for this example, that 
the message is the number M = 35. 


5. B calculates the value of C = M°(mod N) = 35’(mod 943). 


6. 357 = 64339296875 and 64339296875(mod 943) = 545. The number 545 is 
the encoding that B sends to A. 


7. Now A wants to decode 545. To do so, he needs to find a number d such that 
ed = 1(mod (p — 1)(q — 1)), or in this case, such that 7d = 1(mod 880). A 
solution is d = 503, since 7 * 503 = 3521 = 4(880) + 1 = 1(mod 880). 


8. To find the decoding, A must calculate C¢(mod N) = 545°°3(mod 943). This 
looks like it will be a horrible calculation, and at first it seems like it is, but notice 
that 503 = 256+ 128+ 64+ 324 16+4-+2-+ 1 (this is just the binary expansion 
of 503). So this means that 


545003 = 545 256+ 128+ 644-324 16444241 = 545296545128 etd 5451. 


But since we only care about the result (mod 943), we can calculate all the par- 
tial results in that modulus, and by repeated squaring of 545, we can get all 
the exponents that are powers of 2. For example, 545?(mod 943) = 545 - 
545 = 297025(mod 943) = 923. Then square again: 5454(mod 943) = 
(5457)?(mod 943) = 923 - 923 = 851929(mod 943) = 400, and so on. We 
obtain the following table: 


5451(mod 943 
5457(mod 943 
5454(mod 943) = 400 
545°(mod 943) = 633 


)o = a5 
) 
) 
) 
5451°(mod 943) = 857 
) 
) 
) 
) 


= 923 


5453*(mod 943) = 795 
545° (mod 943) = 215 
545/28(mod 943) = 18 

545° (mod 943) = 324 


So the result we want is: 


545°03 (mod 943) = 324-18 - 215-795-857 - 400 - 923 - 545(mod 943) = 35. 


Using this tedious (but simple for a computer) calculation, A can decode B’s message 
and obtain the original message N = 35. 


2.1 RSA Exercise 


OK, now to see if you understand the RSA decryption algorithm, suppose you are 
person A, and you have chosen as your two primes p = 97 and g = 173, and you have 
chosen e = 5. Thus you told B that N = 16781 (which is just pq) and you told him 
that e = 5. 


He encodes a message (a number) for you and tells you that the encoding is 5347. Can 
you figure out the original message? The answer appears at the end of this document. 


3 How It Works 


RSA cryptography is based on the following theorems: 


Theorem 1 (Fermat’s Little Theorem) /f p is a prime number, and a is an integer 
such that (a, p) = 1, then 
a?~! = 1(mod p). 


Proof: Consider the numbers (a - 1), (a - 2), ...(a- (p — 1)), all modulo p. They 
are all different. If any of them were the same, say a-m = a-n(mod p), then 
a-(m—n) = 0(mod p) so m — n must be a multiple of p. But since all m and n are 
less than p,m =n. 


Thus a-1,a-2,...,a-(p—1) must be a rearrangement of 1,2,..., (p—1). So modulo 
p, we have: 
p-l1 p-1 p-l 
[[:=I[e-t=@ 7 [fi 
i=1 i=1 i=1 


so a?-' = 1(mod p). 


Theorem 2 (Fermat’s Theorem Extension) /f (a,m) = 1 then a®‘™) = 1(mod m), 
where (m) is the number of integers less than m that are relatively prime to m. The 
number m is not necessarily prime. 


Proof: Same idea as above. Suppose ¢(m) = n. Then suppose that the n numbers 
less than m that are relatively prime to m are: 


1,42, 43,-++,4n- 
Then a - a1, a: @2,..., @* Gy are also relatively prime to m, and must all be different, 
so they must just be a rearrangement of the a1, ..., @, in some order. Thus: 


nm n n 
[fa =[fe-a =a" J]a, 
i=l i=l i=l 


modulo m, so a” = 1(mod m). 


Theorem 3 (Chinese Remainder Theorem) Let p and q be two numbers (not neces- 
sarily primes), but such that (p,q) = 1. Then if a = b(mod p) and a = b(mod q) we 
have a = b(mod pq). 


Proof: If a = b(mod p) then p divides (a — b). Similarly, q divides (a — 6). But p 
and q are relatively prime, so pq divides (a — b). Consequently, a = b(mod pq). (This 
is a special case with only two factors of what is usually called the Chinese remainder 
theorem but it is all we need here.) 


3.1 Proof of the Main Result 


Based on the theorems above, here is why the RSA encryption scheme works. 


Let p and q be two different (large) prime numbers, let 0 < M < pq be a secret 
message, let d be an integer (usually small) that is relatively prime to (p — 1)(q — 1), 
and let e be a number such that de = 1(mod (p — 1)(q — 1)). (We will see later how 
to generate this e given d.) The encoded message is C = M*(mod pq), so we need to 
show that the decoded message is given by M = C4(mod pq). 


Proof: Since de = 1(mod (p—1)(q—1)), de = 1+ k(p—1)(q— 1) for some integer 
k. Thus: 
Ct= M% = M'HFe-DG-)D = yy. (M@-D(q-1))k 
If MW is relatively prime to p, then 
M4 = M . (MP-1)*(9-1) = M. (1)*@-) = M(mod p) (1) 


By the extension of Fermat’s Theorem giving M?~! = 1(mod p) followed by a multi- 
plication of both sides by M. But if / is not relatively prime to p, then MW is a multiple 
of p, so equation | still holds because both sides will be zero, modulo p. 


By exactly the same reasoning, 
M® = M- M%1! = M(mod q) (2) 
If we apply the Chinese remainder theorem to equations | and 2, we obtain the result 


we want: M¢* = M(mod pq). 


Finally, given the integer d, we will need to be able to find another integer e such that 


de = 1(mod (p—1)(q—1)). To do so we can use the extension of Fermat’s theorem to 
get d?((P-Yq-)) — 1(mod (p—1)(q—1)), so d¢((e-1)(q-1))-1 (mod (p—1)(q—1)) 
is a suitable value for e. 


3.2 Solution to the Exercise 


The secret message is 16657. 


'Tf the message is long, break it up into a series of smaller messages such that each of them is smaller 
than pq and encode each of them separately. 


